ABSTRACT

Suppliers (including companies and individual prosumers)
may wish to protect their private information when selling
items they have in stock. A market is envisaged where private
information can be protected through the use of differential
privacy and option contracts, while privacy-aware suppliers
deliver their stock at a reduced price. In such a marketplace
a broker acts as intermediary between privacy-aware suppliers
and end customers, providing the extra items possibly needed
to fully meet the customers’ demand, while end customers book
the items they need through an option contract. All
stakeholders may benefit from such a marketplace. A formula is
provided for the option price, and a budget equation is set
for the mechanism to be profitable for the broker/producer.

Categories and Subject Descriptors 

H.2.8 [Database Management]: Database Applications—Statistical
databases; J.4 [Social and behavioral sciences]: Economics
1. INTRODUCTION

When dealing with privacy in a marketplace, the accent is
often on the privacy of customers, who may not wish to divulge
many private details or even the items they are purchasing.
Platforms have been devised to enforce customers’ privacy
requirements over the complete lifecycle of private data.
A market for customers’ privacy is expected to emerge.
Instead, little attention has been paid to the wish of
suppliers to protect their private information. Typically a
company may wish to select the level of information it provides
to its customers, but the widespread adoption of e-shops
divulges a lot of details about the company’s operations, not
just to prospective customers but to everyone accessing the
e-commerce platform, including competitors. In addition,
suppliers may now be not just companies but individuals
(prosumers) who wish to sell products they happen to own.

However, companies may wish to keep their data (e.g.,
their level of stock for a given product) secret. At the same
time individuals acting as suppliers may wish not to be
profiled and to keep secret the products they happen to own.
The definition of a marketplace where suppliers can sell their
products while retaining privacy is then a relevant issue.

In this paper, we claim that such a marketplace may be set
up with benefits for all the stakeholders (a broker/producer,
privacy-aware suppliers, and end customers) through the use
of differential privacy mechanisms and option contracts
subscribed by end customers. We define such a marketplace by
identifying all the relevant cash flows. We provide a formula
for the price of the option contract and set the budget
equation for the broker for the mechanism to be profitable.

The paper is organized as follows. The market is described
in Section 2, while the option price is derived in Section 3
and employed to set an overall budget equation for the broker
in Section 4.

2. MARKET DEFINITION 

Let’s consider a database of suppliers where information
can be obtained about the availability of a set of items, but
suppliers are somewhat screened. Suppliers could be vendors
whose typical line of business does not include those
products or who wish to get rid of some remainders, or
individuals (prosumers) who happen to have those products in
their availability. For example, the database could contain the
number of items available for sale at each supplier, so that
the vertical sum across all suppliers included in the database
would tell us the overall number of items available. Such a
database, providing statistics about the entities included in
it, is called a statistical database. However, in a
statistical database releasing statistical information may
compromise the privacy of individual contributors. But suppliers
may wish not to divulge that information; for example they
do not want competitors (who could access the database) to
know their level of stock, or, as individuals, they do not wish
to be profiled about the items they own. If suppliers wish
to be screened, a curator may sit between the users, posing
the query, and the database. The responses to these queries
may be modified by the curator in order to protect the
privacy of the contributors, for example so as not to tell
us exactly either which supplier can provide us with those
items or how many items in the set are available. Instead of
providing the exact number, the database provides us with
an obfuscated number, which is more or less close to the
exact figure. A mechanism to achieve differential privacy is
the use of noisy sums: the response to a counting query is
the sum of the true figure and some noise. The use of a
statistical database plus the use of noisy sums may therefore
protect the private information of suppliers.

When end customers demand a number of items, the
uncertainty surrounding the actual availability of those items
does not allow deals to be closed. In the presence of such
privacy constraints, we postulate that a market can develop
through the introduction of a broker/producer and the use of
option contracts.

Let’s consider the case where end customers demand
$k^*$ items. A broker commits to provide them with the number
of items required. In fact, the broker may procure those
items either by producing them itself (at a unit production
cost $c_p$) or by resorting to privacy-aware suppliers, whose
availability is known through the statistical database
previously mentioned. As already said, privacy-aware suppliers
do not release full information about the availability of their
products, but release instead an obfuscated number $\hat{k}$,
which is generally different from the true number $k$ of items
that they can provide (though the broker may obtain a refined
estimate of the true number through Bayesian analysis).

The privacy enjoyed by privacy-aware suppliers is reflected
in the price $c_s$ they advertise. Prices set by privacy-aware
suppliers depend on the level of obfuscation (i.e. privacy
protection): the higher the level of obfuscation (embodied
by the variance of the added noise), the lower the price.
Assuming $c_s < c_p$, the broker has a real advantage in
procuring as many items as it can through privacy-aware
suppliers at the reduced price $c_s$, and transferring part of
that benefit to end customers by setting a lower end price. If
the availability of items is not enough to satisfy the demand
($k < k^*$), the broker/producer produces the remaining items
(but does not enjoy the full benefit of the reduced price).

In order to exploit the offer by privacy-aware suppliers, the
broker submits a query to the statistical database containing
information about the availability of items, pays a fixed
amount $c_q$ and receives the noisy response $\hat{k}$. It
commits to buy all the $k$ items available, though they may
exceed the actual demand $k^*$. When the actual number of
available items is disclosed (at delivery), it pays the
privacy-aware suppliers the overall amount $c_s k$. If the
demand is fully met ($k > k^*$) the broker does not have to
produce any item; otherwise, the broker has to produce
$k^* - k$ items at the unit cost $c_p$. The resulting supply
chain is shown in Figure 1.

However, such a procedure is not free of risks for the
broker/producer, which, on the one hand commits to provide its
customers with the required items, but on the other hand
is subject to the uncertainty determined by the unknown
availability of items delivered by privacy-aware suppliers,
with the risks deriving from the commitments to buy all the
items available and, if required, to produce the remaining
ones at a higher cost.

The broker/producer has therefore to hedge against such
risks. A way we suggest is to resort to option contracts,
which are described in the next section.

3. OPTION CONTRACTS 

As seen in the previous section, the broker/producer
undergoes a risk when resorting to privacy-aware suppliers in
order to meet customers’ demand at a reduced cost, which it
transfers to end customers through a reduced price. It needs
however to hedge against such a risk. In this section we
describe a mechanism, based on option contracts, by which it
can achieve such protection.

Figure 1: Supply relationships

Since the stakeholders that ultimately benefit from
resorting to privacy-aware suppliers are end customers, the
broker/producer may transfer some of that risk to them, asking
them to pay a price to get the right to buy the desired number
of items at a predetermined lower price (i.e., a booking
fee). In the language of financial markets, this is a call
option, since it endows the end customer with the right to buy.
End customers are then required to subscribe a call option
to be sure to get the right number of items they wish at
a reduced price.

A critical issue in option contracts is setting the right price.
In the typical scenario, the amount to be paid for the option
contract is expected to depend on the current value of the
items for sale, the predetermined price to be paid if the
option is exercised, and the expected behaviour of the item’s
value in the period from the option contract underwriting
to the exercise time. A simple form of pricing is given by
the Black-Scholes formula, but a form tailored for the
context is to be derived here. The risk of having to
buy the items exceeding the demand has been analysed, and
the following pricing formula has been derived for the case
where Laplacian noise is added to form the noisy sum [10]:

$$P_{opt} = E_k\left[(k - k^*)^+ c_s \mid \hat{k}\right] = c_s\left[(\hat{k} - k^*)^+ + \frac{e^{-\lambda|\hat{k} - k^*|}}{2\lambda}\right] \qquad (1)$$

where $\lambda$ is the shape parameter of the Laplace
distribution: the smaller $\lambda$, the greater the
differential privacy. This expression considers just the risk
transfer concerning the extra cost of buying the excess items
provided by privacy-aware suppliers and does not consider the
end price paid by customers. As can be seen in Equation (1),
the price is basically the cost of the actual number of excess
items plus a term that accounts for the introduction of noise
in the database response and vanishes as $\lambda$ grows
towards infinity (i.e., as the level of privacy reduces) and
the declared number of available items gets farther from the
demand. In Figure 2 we can see how the option price moves for
three different values of $\lambda$ and $c_s = 1$. The
difference with respect to the cost of the actual number of
excess items is significant just when the number of declared
items is close to the demand.



Figure 2: Option price 

We can consider that difference as the premium to be
paid to cover the uncertainty introduced by Laplacian noise.
After defining the premium

$$\Delta = c_s\left[E_k\left[(k - k^*)^+\right] - (\hat{k} - k^*)^+\right] \qquad (2)$$

we show it in Figure 3 for the same case reported in
Figure 2. We see that the premium gets its maximum when the
number $\hat{k}$ of declared items is exactly equal to the
demand: the impact of uncertainty, and the protection from
risk, is more expensive when the noisy response appears to
exactly fit the demand.



Figure 3: Premium 
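
The option price and premium discussed in this section can be checked numerically. The following is an added Python example, not code from the paper: it assumes the true count given the noisy response follows a Laplace density with parameter lambda centred on that response, and compares the resulting closed form with a direct numerical integral. Function names and the sample values (demand of 50, the three lambda values) are constructed.

```python
import math

def laplace_pdf(k, k_hat, lam):
    """Assumed density of the true count k around the noisy response k_hat."""
    return 0.5 * lam * math.exp(-lam * abs(k - k_hat))

def option_price(k_hat, k_star, lam, c_s=1.0):
    """Closed form of c_s * E[(k - k*)^+ | k_hat] under the Laplace density."""
    excess = max(k_hat - k_star, 0.0)
    return c_s * (excess + math.exp(-lam * abs(k_hat - k_star)) / (2.0 * lam))

def premium(k_hat, k_star, lam, c_s=1.0):
    """Option price minus the cost of the declared excess items."""
    return option_price(k_hat, k_star, lam, c_s) - c_s * max(k_hat - k_star, 0.0)

def option_price_numeric(k_hat, k_star, lam, c_s=1.0, steps=200_000):
    """Midpoint-rule integral of c_s * (k - k*) * pdf(k) over k > k*."""
    upper = max(k_hat, k_star) + 60.0 / lam   # mass beyond this is ~e^-60
    h = (upper - k_star) / steps
    total = 0.0
    for i in range(steps):
        k = k_star + (i + 0.5) * h
        total += (k - k_star) * laplace_pdf(k, k_hat, lam)
    return c_s * total * h

def premium_profile(k_star, lam, c_s=1.0, span=10):
    """Premium for declared counts k* - span .. k* + span."""
    return {k_hat: premium(k_hat, k_star, lam, c_s)
            for k_hat in range(k_star - span, k_star + span + 1)}

if __name__ == "__main__":
    K_STAR = 50  # constructed demand
    for lam in (0.2, 0.5, 1.0):  # constructed noise parameters
        profile = premium_profile(K_STAR, lam)
        peak = max(profile, key=profile.get)
        print(f"lambda={lam}: premium peaks at k_hat={peak} "
              f"with value {profile[peak]:.3f}")
        for k_hat in (45, 50, 55):
            closed = option_price(k_hat, K_STAR, lam)
            numeric = option_price_numeric(k_hat, K_STAR, lam)
            print(f"  k_hat={k_hat}: closed={closed:.5f} numeric={numeric:.5f}")
```

The premium at a declared count equal to the demand is c_s / (2 lambda), so a smaller lambda (more privacy) makes the hedge more expensive.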


4. BROKER’S BUDGET 

The option price reported in Section 3 is just one of the
economic components in the interaction between the broker,
the privacy-aware suppliers and the end customers. In order
to examine the profitability of the market mechanism
for the broker/producer, we must get an overall view. In
this section, we review all the cash flows concerning the
broker/producer and write a budget equation.

The broker’s expenses are represented by:

• a fixed contribution $c_q$ for the query, depending on the
noise variance;

• a unit price $c_s$ for each item supplied by privacy-aware
suppliers;

• an internal unit cost $c_p$ for each item it must produce
to meet the demand if the items delivered by privacy-aware
suppliers are not enough.

On the other hand, the revenues are:

• the option price $P_{opt}$, for giving its end customers the
opportunity to benefit from the lower priced items offered
by privacy-aware suppliers;

• the unit price $p_s$ for each item delivered to end
customers.


The overall profit $B$ for the producer is then

$$B = P_{opt} + k^* \cdot p_s - c_q - k \cdot c_s - (k^* - k)^+ c_p \qquad (3)$$


Among the items entering the budget equation, we have
already derived in Section 3 a preliminary expression for the
option price (which does not take into account the end price
$p_s$). As to the query cost $c_q$, for the time being we
consider it as a fixed quantity, though for linear queries
arbitrage-free pricing mechanisms have been proposed.
Similarly, though in the following we assume $c_s$ to be fixed,
we expect it to be a function of the level of differential
privacy.

If the broker knew in advance the actual number of items
delivered by privacy-aware suppliers, it could set the end
price $p_s$ so as to strike a profit:

- (4) 

Unfortunately that’s not the case, and Equation (4) contains
a stochastic component due to $k$.

If we look for a price capable of delivering a profit on the
average, and recalling Equation (1), the end price can be
computed as follows (where, for simplicity, we have omitted
the conditioning of all expected values on the declared
number $\hat{k}$)

$$p_s > \frac{c_q + E_k[k] \cdot c_s + E_k[(k^* - k)^+] c_p - P_{opt}}{k^*} = \frac{c_q + \hat{k} \cdot c_s + E_k[(k^* - k)^+] c_p - E_k[(k - k^*)^+] c_s}{k^*} \qquad (5)$$

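Again assuming a Laplace distribution for the added noise
as in the computation of the option price, we can obtain

$$E_k[(k^* - k)^+] = (k^* - \hat{k})^+ + \frac{e^{-\lambda|\hat{k} - k^*|}}{2\lambda} - \frac{e^{-\lambda\hat{k}}}{2}\left(k^* + \frac{1}{\lambda}\right) \qquad (6)$$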

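Introducing this expression in Equation (5) and rearranging
terms, we obtain the final expression

$$p_s > \frac{c_q + \hat{k} \cdot c_s + c_p (k^* - \hat{k})^+ - c_s (\hat{k} - k^*)^+ + (c_p - c_s)\frac{e^{-\lambda|\hat{k} - k^*|}}{2\lambda} - c_p \frac{e^{-\lambda\hat{k}}}{2}\left(k^* + \frac{1}{\lambda}\right)}{k^*} \qquad (7)$$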


In order to obtain a practical mechanism to set the end
price, we expect to introduce the dependence of the query
price $c_q$ and the privacy-aware suppliers’ price $c_s$ on
the level of differential privacy.
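
The break-even end price of this section can be replayed against the budget equation. The following is an added Python example, not code from the paper: it assumes the true count is the declared count plus zero-mean Laplace noise with parameter lambda (clipped at zero), uses the corresponding closed forms for the expected excess and shortfall, and simulates the broker's profit at the resulting minimum price. All parameter values and function names are constructed.

```python
import math
import random

def expected_excess(k_hat, k_star, lam):
    """E[(k - k*)^+ | k_hat]: items bought from suppliers beyond the demand."""
    return max(k_hat - k_star, 0.0) + math.exp(-lam * abs(k_hat - k_star)) / (2 * lam)

def expected_shortfall(k_hat, k_star, lam):
    """E[(k* - k)^+ | k_hat] for k >= 0: items the broker must produce itself."""
    return (max(k_star - k_hat, 0.0)
            + math.exp(-lam * abs(k_hat - k_star)) / (2 * lam)
            - 0.5 * math.exp(-lam * k_hat) * (k_star + 1 / lam))

def min_end_price(k_hat, k_star, lam, c_q, c_s, c_p):
    """Smallest unit end price giving a non-negative profit on average."""
    cost = (c_q + k_hat * c_s
            + c_p * expected_shortfall(k_hat, k_star, lam)
            - c_s * expected_excess(k_hat, k_star, lam))  # option price offsets cost
    return cost / k_star

def simulate_profit(p_s, k_hat, k_star, lam, c_q, c_s, c_p, runs=200_000, seed=1):
    """Monte Carlo of the budget equation; returns (mean profit, share of losses)."""
    rng = random.Random(seed)
    p_opt = c_s * expected_excess(k_hat, k_star, lam)
    total, losses = 0.0, 0
    for _ in range(runs):
        # Laplace noise as the difference of two exponentials; k cannot be negative.
        k = max(k_hat + rng.expovariate(lam) - rng.expovariate(lam), 0.0)
        b = p_opt + k_star * p_s - c_q - k * c_s - max(k_star - k, 0.0) * c_p
        total += b
        losses += b < 0
    return total / runs, losses / runs

if __name__ == "__main__":
    # Constructed scenario: declared 48 items against a demand of 50.
    params = dict(k_hat=48, k_star=50, lam=0.5, c_q=5.0, c_s=1.0, c_p=2.0)
    p_min = min_end_price(**params)
    mean_b, loss_share = simulate_profit(p_min, **params)
    print(f"minimum end price: {p_min:.4f}")
    print(f"mean profit at that price: {mean_b:+.4f}")
    print(f"share of deliveries closed at a loss: {loss_share:.1%}")
```

At the minimum price the mean profit is close to zero while a sizeable share of individual deliveries still closes at a loss, which is the stochastic component due to the true count.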




















5. BENEFITS 

All the stakeholders are expected to benefit from the
existence of such a market.

Privacy-aware suppliers are able to sell their products while
protecting their privacy at the same time. Though they are
expected to sell at a lower price, they can decide the
obfuscation level (i.e. the level of protection of their
privacy) and establish the desired trade-off between privacy
and profits.

On the other hand, the broker/producer can benefit from
its dual role. As a producer it may sell its products at the
current price but obtain an additional stream of revenue by
selling option rights. As a broker, it may exploit the option
mechanism and provide its end customers with the required
number of items while taking advantage of the reduced price
offered by privacy-aware suppliers. In a profitable context,
the broker is incentivized to be trustworthy and keep the
actual number of available items secret when it is disclosed
at delivery.

Finally, end customers are certain to obtain the number 
of items they want, while taking advantage of privacy-aware 
price reductions at the same time. 

6. CONCLUSIONS 

A marketplace has been envisaged where suppliers may
retain their private information (e.g., their identity, and the
type and quantity of items they stock). A broker acts between
end customers and privacy-aware suppliers, employing
option contracts to guarantee the full delivery of items. A
formula has been provided for the option price, protecting
the broker against the risk of buying items in excess of those
demanded by end customers. The option price is the cost of
the actual number of excess items plus a term that accounts
for the introduction of noise in the database response and
vanishes as the level of privacy reduces and the declared
number of available items gets farther from the true one.
The budget equation for the broker has also been set, and a
formula has been derived for the minimum price to get the
mechanism profitable for the broker on the average.